b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                 Security Controls Over Wireless Technology\n                  Were Generally in Place; However, Further\n                        Actions Can Improve Security\n\n\n\n                                      September 26, 2011\n\n                              Reference Number: 2011-20-101\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n\n Phone Number | 202-622-6500\n Email Address | TIGTACommunications@tigta.treas.gov\n Web Site      | http://www.tigta.gov\n\x0c                                                  HIGHLIGHTS\n\n\nSECURITY CONTROLS OVER WIRELESS                      laptops were authorized to access the network,\nTECHNOLOGY WERE GENERALLY IN                         the use of personal wireless devices is\nPLACE; HOWEVER, FURTHER ACTIONS                      prohibited.\nCAN IMPROVE SECURITY                                 In addition, the IRS developed software to\n                                                     enable laptops to wirelessly connect to the IRS\n                                                     network from non-IRS facilities (home, airport, or\nHighlights                                           hotel) and allowed its use by approximately\n                                                     300 users before the software was properly\nFinal Report issued on                               tested and approved for use enterprise-wide.\nSeptember 26, 2011                                   Due to a lack of proper controls, the software\n                                                     was improperly shared and is currently in use on\nHighlights of Reference Number: 2011-20-101          an unknown number of IRS computers, even\nto the Internal Revenue Service Chief                though 
the IRS has subsequently abandoned\nTechnology Officer.                                  this software and is currently testing a new\n                                                     configuration.\nIMPACT ON TAXPAYERS\n                                                     In addition, the IRS did not ensure timely\nThe Internal Revenue Service (IRS) currently         monitoring of the wireless router configuration\nuses limited wireless technology but is in the       files on the existing approved WLAN.\nprocess of expanding its use to help carry out its\nmission. TIGTA found that controls over              WHAT TIGTA RECOMMENDED\nwireless technology were generally in place;\n                                                     TIGTA recommended that the Chief Technology\nhowever, further actions can improve security.\n                                                     Officer 1) implement automated nationwide\nStrong security over wireless technology is\n                                                     network scans for unauthorized wireless activity,\ncritical for protecting IRS and taxpayer data from\n                                                     devices, and software using automated tools\nattacker exploits.\n                                                     and improve incident handling and investigation\nWHY TIGTA DID THE AUDIT                              processes so that when unauthorized wireless\n                                                     activity is identified, subsequent investigations\nThis audit is included in our Fiscal Year 2011       and disciplinary actions are effective; 2) ensure\nAnnual Audit Plan and addresses the major            that a security assessment and authorization is\nmanagement challenge of Security. 
The overall        completed for all wireless technologies prior to\nobjectives of this review were to determine          use in the IRS environment, in compliance with\nwhether the IRS has implemented effective            IRS policy; and 3) ensure the Enterprise\ncontrols to detect unauthorized use of the           Networks organization takes appropriate action\nwireless local area network (WLAN) technology,       to reinstate monitoring and tracking of\nand to determine whether the IRS\xe2\x80\x99s current           configuration files on the WLAN at the National\napproved wireless network at its National            Distribution Center at appropriate intervals to\nDistribution Center and its plans for increasing     ensure all files are set in accordance with IRS\nauthorized use of WLAN technology at IRS             security policy.\nfacilities are in accordance with Federal wireless\nsecurity standards.                                  The IRS agreed to take corrective actions to\n                                                     address Recommendations 1 and 3, but\nWHAT TIGTA FOUND                                     disagreed with Recommendation 2. The IRS\n                                                     disagreed that IRS policy requires completion of\nWhile IRS controls over wireless technology\n                                                     a security assessment and authorization on\nwere generally in place and operating\n                                                     wireless technologies that it is piloting or\neffectively, TIGTA found areas where\n                                                     demonstrating. TIGTA maintains that prior to\nimprovements can be made. 
Specifically, IRS\n                                                     placing wireless technologies on the live IRS\nnetwork scan data revealed that four users\n                                                     network, the IRS should ensure that it has\ninstalled and used personal unauthorized\n                                                     completed the required security assessment and\nwireless devices on their laptops to connect to\n                                                     authorization.\nthe IRS network. Although the users of these\n\x0c                                           DEPARTMENT OF THE TREASURY\n                                                WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                         September 26, 2011\n\n\n MEMORANDUM FOR CHIEF TECHONOLOGY OFFICER\n\n FROM:                       Michael R. Phillips\n                             Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 Security Controls Over Wireless Technology\n                             Were Generally in Place; However, Further Actions Can Improve\n                             Security (Audit #201120009)\n\n This report presents the results of our review to determine whether the Internal Revenue Service\n (IRS) has implemented effective controls to detect the unauthorized use of the wireless local area\n network (WLAN) technology, and to determine whether the IRS\xe2\x80\x99s current approved wireless\n network at its National Distribution Center and its plans for increasing authorized use of WLAN\n technology at IRS facilities are in accordance with Federal wireless security standards. 
This\n audit is included in our Fiscal Year 2011 Annual Audit Plan and addresses the major\n management challenge of Security.\n Management\xe2\x80\x99s complete response to the draft report is included as Appendix IV.\n Copies of this report are also being sent to the IRS managers affected by the report\n recommendations. Please contact me at (202) 622-6510 if you have questions or Alan Duncan,\n Assistant Inspector General for Audit (Security and Information Technology Services), at\n (202) 622-5894.\n\x0c                         Security Controls Over Wireless Technology Were Generally\n                          in Place; However, Further Actions Can Improve Security\n\n\n\n\n                                            Table of Contents\n\nBackground .......................................................................................................... Page 1\n\nResults of Review ............................................................................................... Page 4\n          Controls Over Wireless Technology Were Generally\n          in Place and Operating Effectively ............................................................... Page 4\n          Additional Actions Are Needed to Further Improve\n          Security Over Wireless Technology ............................................................. Page 5\n                    Recommendations 1 and 2: .............................................. Page 12\n\n                    Recommendation 3:........................................................ Page 13\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objectives, Scope, and Methodology ....................... Page 14\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................ Page 16\n          Appendix III \xe2\x80\x93 Report Distribution List ....................................................... 
Page 17\n          Appendix IV - Management\xe2\x80\x99s Response to the Draft Report ....................... Page 18\n\x0c       Security Controls Over Wireless Technology Were Generally\n        in Place; However, Further Actions Can Improve Security\n\n\n\n\n                     Abbreviations\n\nACIO           Associate Chief Information Officer\nERAP           Enterprise Remote Access Project\nEUES           End User Equipment and Services\nIRS            Internal Revenue Service\nUSB            Universal Serial Bus\nVPN            Virtual Private Network\nWLAN           Wireless Local Area Network\n\x0c                      Security Controls Over Wireless Technology Were Generally\n                       in Place; However, Further Actions Can Improve Security\n\n\n\n\n                                             Background\n\nWireless technology enables devices to communicate without physical connections, that is,\nwithout requiring network or peripheral cabling. It can offer many benefits, such as increased\nmobility, less costly installation, and easier scalability than wired technologies. However, it can\nalso pose significant risks to the critical infrastructure\nand assets of an organization if not properly\nimplemented and secured. Wireless communications are              Wireless technology can pose\n                                                1\nvulnerable to interception, denial of service, and                significant risks to the critical\n                                                                 infrastructure and assets of an\ndeception. The portability and wireless capability of              organization if not properly\nlaptops also create considerable risk. The following are            implemented and secured.\nexamples of well-known attacks used to exploit\nvulnerabilities in wireless technologies.\n    \xe2\x80\xa2   Readily available software tools to intercept and decipher data if strong encryption is not\n        used. 
Intercepted wireless traffic may contain sensitive data, such as taxpayer data, or\n        information that can be used to gain unauthorized access to other systems, such as\n        usernames and passwords.\n    \xe2\x80\xa2   Deployment of unauthorized wireless devices, such as access points, that are configured\n        to appear as part of the agency\xe2\x80\x99s wireless network infrastructure. If wireless devices are\n        not adequately secured, they could provide outsiders with an avenue into the internal\n        network and unauthorized access to corporate assets.\n    \xe2\x80\xa2   Eavesdropping on a dual connection that can occur when a laptop is not configured to\n        prevent more than one active Internet connection at a time\xe2\x80\x94for example, a computer\n        connected to a wired and a wireless network simultaneously can inadvertently become a\n        bridge between a trusted and an untrusted network. Attackers use this bridge to\n        eavesdrop on the user\xe2\x80\x99s network communications and potentially gain unauthorized\n        access to the agency\xe2\x80\x99s core network.\nThe Internal Revenue Service (IRS) currently deploys the following types of wireless technology\nand is in the process of testing and evaluating ways to expand its use as a commitment to\nimprove daily operations for its employees:\n    \xe2\x80\xa2   Wireless local area network (WLAN)\xe2\x80\x94a group of wireless networking nodes within a\n        limited geographic area that serve as an extension to existing wired local area networks.\n        Wireless networks are also known as Wi-Fi.\n\n1\n A denial of service attack inundates a computer system or network with traffic that overloads the system resources,\ncausing them to cease operations or lose network connectivity.\n                                                                                                            Page 1\n\x0c                      Security Controls Over Wireless 
Technology Were Generally\n                       in Place; However, Further Actions Can Improve Security\n\n\n\n    \xe2\x80\xa2   Wireless remote access software\xe2\x80\x94this software is used to enable wireless cards on\n        laptops to allow connectivity to a personal or public wireless access point (at home,\n        hotels, or airports) for accessing the Enterprise Remote Access Project (ERAP), which\n        establishes a virtual private network (VPN) for authorized users to access the IRS\n        network.\n    \xe2\x80\xa2   Wireless cellular networks\xe2\x80\x94a telecommunications network managed by a service\n        provider that supports smartphones, such as the BlackBerry,2 which offer the ability to\n        provide data such as email and Internet browsing wirelessly over cellular networks, and\n        cellular data cards, which provide Internet connectivity to laptop computers by accessing\n        cellular networks just as cell phones do.3\nThe Treasury Inspector General for Tax Administration has conducted two prior audits to detect\nunauthorized wireless access points at the IRS.\n    1. Our first audit report on wireless technology was issued in February 2003.4 During the\n       audit, we scanned for wireless access points at IRS facilities and found an unauthorized\n       wireless application in one location that was directly connected to the IRS-wide internal\n       network containing sensitive taxpayer information. We also had strong indications of an\n       unauthorized wireless application at another location, although we were unable to locate\n       a wireless device.\n    2. 
Our second audit report on wireless technology was issued in March 2007.5 During the\n       audit, we reported an unauthorized wireless application in one location was directly\n       connected to the IRS-wide internal network containing sensitive taxpayer information.\n       We also had strong indications of three other unauthorized wireless applications at other\n       locations.\n        We also reviewed the IRS\xe2\x80\x99s one authorized WLAN at the National Distribution Center in\n        Bloomington, Illinois, where wireless devices are used to scan bar codes on IRS\n        publications and forms and to transmit inventory data to a tracking system. During our\n        audit, the IRS Computer Security Incident Response Center,6 a part of the Modernization\n        and Information Technology Services organization, conducted penetration tests of the\n        network\xe2\x80\x99s wireless infrastructure in January and February 2006 to ensure it was securely\n        configured. The tests identified that one wireless access point was using a default\n\n\n2\n  BlackBerry phones are locked down and are unable to access the IRS network.\n3\n  Cellular data cards require that users go through the ERAP in order to access the IRS network.\n4\n  Use of Unapproved Wireless Technology Puts Sensitive Data at Risk (Reference Number 2003-20-056, dated\nFebruary 21, 2003).\n5\n  Sensitive Data Remain at Risk From the Use of Unauthorized Wireless Technology (Reference Number\n2007-20-060, dated March 28, 2007).\n6\n  Designed to ensure the IRS has a team of capable \xe2\x80\x9cfirst responders\xe2\x80\x9d who are organized, trained, and equipped to\nidentify, contain, and eradicate cyber threats targeting IRS computers and data.\n                                                                                                            Page 2\n\x0c                  Security Controls Over Wireless Technology Were Generally\n                   in Place; However, Further 
Actions Can Improve Security\n\n\n\n       configuration, security devices were not in place to detect attacks against the wireless\n       network, and security configurations were not being monitored. The IRS took immediate\n       action to correct the default configuration and installed a network intrusion prevention\n       system for the wireless network. However, by the end of our audit, the IRS had still not\n       installed the software required to continuously monitor the configuration files of the\n       wireless devices due to other higher priorities. Therefore, we recommended that the IRS\n       take appropriate action to monitor and track the configuration files on the wireless\n       network to ensure all files are set in accordance with current policy.\nThis review was performed at the New Carrollton Federal Building in New Carrollton,\nMaryland, in the Office of Cybersecurity during the period January through May 2011. We\nconducted this performance audit in accordance with generally accepted government auditing\nstandards. Those standards require that we plan and perform the audit to obtain sufficient,\nappropriate evidence to provide a reasonable basis for our findings and conclusions based on our\naudit objectives. We believe that the evidence obtained provides a reasonable basis for our\nfindings and conclusions based on our audit objectives. Detailed information on our audit\nobjectives, scope, and methodology is presented in Appendix I. 
Major contributors to the report\nare listed in Appendix II.\n\n\n\n\n                                                                                          Page 3\n\x0c                      Security Controls Over Wireless Technology Were Generally\n                       in Place; However, Further Actions Can Improve Security\n\n\n\n\n                                       Results of Review\n\nControls Over Wireless Technology Were Generally in Place and\nOperating Effectively\nWe evaluated the controls the IRS implemented for securing its wireless networks and devices\nand found that the IRS:\n    \xe2\x80\xa2    Established a wireless security policy that was generally in compliance with Federal\n         standards.\n    \xe2\x80\xa2    Deployed continuous monitoring procedures for detecting rogue wireless access points\n         and other computing devices using a risk-based approach.\n    \xe2\x80\xa2    Uses a VPN to facilitate the secure transfer of sensitive data during remote access using\n         wireless technology.\nThe IRS still operates its one authorized WLAN at the National Distribution Center, where\nwireless devices are used to scan bar codes on IRS publications and transmit inventory data to a\ntracking system. We found that the wireless network components were properly configured, data\ntransmissions were adequately encrypted, and the WLAN generally complied with Federal\nwireless security standards.\nTo protect against unauthorized WLANs being deployed elsewhere, the IRS periodically scans\nits 3 computing centers7 and 10 campuses8 (and surrounding IRS facilities) using a manual\nscanning tool. The IRS has never found any unauthorized wireless connections to its network\nduring these scans. Due to resource constraints, the IRS cannot scan all of its offices\n(approximately 550 facilities). Therefore, it is investigating the procurement of portable\nscanning devices for use nationwide. 
In addition, the IRS has initiated implementation of an\nenterprise asset discovery tool which has the ability to identify unauthorized wireless devices on\nthe network.\nAs part of IRS Commissioner Schulman\xe2\x80\x99s Workforce of Tomorrow strategy, which is to make\nthe IRS one of the best places to work through technology improvements, the IRS is currently\nevaluating the expansion of two types of wireless technology: deployment of additional WLANs\n\n\n7\n  IRS computing centers support tax processing and information management through a data processing and\ntelecommunications infrastructure.\n8\n  IRS service center campuses are the data processing arms of the IRS. They process paper and electronic\nsubmissions, correct errors, and forward data to the computing centers for analysis and posting to taxpayer accounts.\n                                                                                                             Page 4\n\x0c                  Security Controls Over Wireless Technology Were Generally\n                   in Place; However, Further Actions Can Improve Security\n\n\n\nat IRS facilities and software configurations that allow laptop users to make wireless remote\naccess connections to the IRS network from non-IRS facilities (e.g., hotels, airports, or homes).\nWith the intent to expand the use of WLANs, the IRS has recently set up test WLANs in\ntwo locations as demonstrations that provide wireless access to the IRS network to selected\nemployees. Wireless access points connected to the IRS network allow employees direct access\nto the network using the built-in wireless network interface cards on their laptops. 
The IRS\ncompleted a risk assessment of this testing process and identified several recommendations for\nmitigating identified risks.\nWe confirmed that the IRS took steps to mitigate the risk of dual connection by utilizing a\nsoftware solution to prevent users from connecting simultaneously to a wireless and wired\nnetwork and creating an insecure bridge that attackers could exploit. We conducted limited\ntesting of this control and determined that it was in place and operating effectively. We also\nconfirmed that the IRS had changed the name of the wireless access point used in their testing to\nattract less attention from unauthorized users. Finally, we confirmed that the IRS used the most\ncurrent authentication and encryption technology available for wireless networks, called Wi-Fi\nProtected Access, as required by Federal standards.\nThe IRS is also evaluating the use of wireless remote software configurations that allow laptop\nusers to make wireless remote access connections to the IRS network from non-IRS facilities\n(e.g., hotels, airports, or homes). In April 2010, the IRS updated its security policy to allow\nenabling of wireless configurations on laptops to allow users to connect to IRS networks via their\nbuilt-in wireless network cards and utilizing the ERAP, the agency\xe2\x80\x99s secure VPN-based remote\naccess solution. 
The IRS wrote a software program in Fiscal Year 2010 to start testing the\nenablement of the built-in wireless network cards, and it is currently working towards an\nenterprise-wide solution for the usage of this wireless remote access feature.\n\nAdditional Actions Are Needed to Further Improve Security Over\nWireless Technology\nWhile we found that the IRS was generally complying with Federal wireless security practices,\nwe found four areas where improvements could be made to security over wireless technology\nused in the IRS.\n   \xe2\x80\xa2   Use of automated monitoring to improve detection of unauthorized wireless devices.\n   \xe2\x80\xa2   Adherence to IRS policy when developing new wireless technologies.\n   \xe2\x80\xa2   Timely monitoring of wireless router configuration files on the existing WLAN.\n   \xe2\x80\xa2   Addressing dual connection in IRS policy.\n\n\n\n                                                                                            Page 5\n\x0c                     Security Controls Over Wireless Technology Were Generally\n                      in Place; However, Further Actions Can Improve Security\n\n\n\nAutomated monitoring can better detect unauthorized wireless devices used to\naccess the ERAP\nDue to the complexity of properly configuring and ensuring a secure wireless connection, IRS\npolicy requires wireless devices to be acquired and provided by the Modernization and\nInformation Technology Services organization. Additionally, only authorized wireless\ntechnologies and devices that have a completed security assessment and authorization by the\nModernization and Information Technology Services organization and the Cybersecurity\norganization, a part of the Modernization and Information Technology Services organization, can\nbe used within the IRS. The purpose of this policy is to ensure that wireless devices are properly\nconfigured to comply with the IRS\xe2\x80\x99s security policies. 
IRS policy also prohibits users with\nadministrator privileges from altering any security component configurations or settings on their\nlaptops or desktops without written approval of the Designated Accrediting Authority. In\naddition, IRS policy prohibits personally owned equipment, such as wireless Universal Serial\nBus (USB) devices9 as pictured below, from being connected either directly or via VPN to the\nIRS network.\nThe Department of the Treasury security policy requires\nbureaus to ensure that unapproved wireless networking\ncapabilities of laptops and other devices are monitored\nthrough automated means for unauthorized changes.\nWe identified four IRS laptops which used personally\nowned USB wireless adapters to connect to the IRS\nnetwork via the ERAP during the time period January to\nMarch 2011. USB wireless adapters are not approved for\nuse at the IRS. Administrator privileges were required to\ninstall the USB wireless adapter drivers to enable the\nwireless connection to the ERAP using the USB wireless\nadapter.\nTwo of these laptops belonged to IRS employees, and two belonged to contractors. We found\nthree adapters installed on one contractor\xe2\x80\x99s laptop. The contractor stated that he tried but was\nunable to connect to the network with these devices. However, our research revealed that in fact\nhis computer did wirelessly connect to the network with one of these devices.\nEach of these users, after making the wireless remote connection, logged onto the IRS network\nvia the ERAP, which requires 2-factor authentication before granting the user access to the IRS\nnetwork. Although the USB wireless adapters were not authorized, the users were authorized to\naccess the IRS network. However, the installation and use of unauthorized wireless devices is\n\n\n9\n  Wireless USB adapters allow devices to connect to a wireless network. 
As of Calendar Year 2010, most newer\nlaptops come equipped with internal adapters, also called wireless network interface cards.\n                                                                                                        Page 6\n\x0c                     Security Controls Over Wireless Technology Were Generally\n                      in Place; However, Further Actions Can Improve Security\n\n\n\nprohibited by IRS policy because their use could put the IRS at risk of unauthorized access to its\nnetwork and data. We did not evaluate the security configurations of these laptops. However,\nduring the installation, users with administrative privileges could inadvertently or intentionally\nalter security settings that could expose the laptops to attacker exploits. For example, if the users\ndo not ensure that configurations are set to prevent dual connections, attackers could gain\nunauthorized access to the IRS network.\nWe identified these four laptops using a snapshot of IRS network scan data from Tivoli,10\ncollected once a week over a 6-week period, and device data collected by the IRS asset discovery\ntool called Business DNA.11 The IRS\xe2\x80\x99s current wireless monitoring efforts using their manual\nscanning tool would not have identified these instances of personal USB wireless adapters\nbecause the scanning at the computing centers and campuses is looking for wireless access\npoints. Enhancing the IRS\xe2\x80\x99s current manual scanning at its main sites with the use of the IRS\xe2\x80\x99s\nalready available automated scanning tools that collect data enterprise-wide can improve its\ncontinuous monitoring and detection of rogue wireless software and devices. 
This method would\nlower the resources needed while achieving enterprise-wide scanning coverage and provide data\non both unauthorized wireless access points and the use of unapproved wireless software and\ndevices.\nIn addition, we provided the IRS Computer Security Incident Response Center and the End User\nEquipment and Services (EUES) organization, divisions within the Modernization and\nInformation Technology Services organization, with the documentation for the four laptops that\nused the wireless USB adapters (including the specific laptops and names of the laptop owners).\nHowever, in response to the noncompliant activity we identified, the IRS was unable to complete\nsufficient follow-up activities to ensure the illegal wireless software was removed and\ndisciplinary actions were taken as necessary. Without adequate processes to handle incidents of\nnoncompliance with IRS security policy, the noncompliant activity may continue to put the IRS\nnetwork at risk of attacker exploits.\n\nAdherence to policy when developing new wireless technologies needs\nimprovement\nIRS policy requires that all wireless remote configurations must go through the Enterprise Life\nCycle12 process and be approved by the Associate Chief Information Officer (ACIO),\n\n\n10\n   The Tivoli\xc2\xae applications provide the IRS with the ability to systemically deliver the most current versions of\nsoftware and updated security patches to employees\xe2\x80\x99 computers and to scan the network for maintaining computer\ninventory records.\n11\n   Business DNA is an asset discovery tool that provides detailed hardware and software configuration information\nfor all devices connected to the network. 
The Department of the Treasury recently selected Business DNA as the\nenterprise tool for all bureaus to use in information technology asset discovery, inventory, and reporting.\n12\n   A structured business systems development method that requires the preparation of specific work products during\ndifferent phases of the development process.\n                                                                                                          Page 7\n\x0c                     Security Controls Over Wireless Technology Were Generally\n                      in Place; However, Further Actions Can Improve Security\n\n\n\nCybersecurity. In addition, all wireless networks and devices must have a completed security\nassessment and authorization before they are used within the IRS.\nFurther, the National Institute of Standards and Technology13 recommends that agencies establish\nand enforce usage restrictions and implementation guidance for wireless access. According to\nthe National Institute of Standards and Technology standards, security policies should identify\nwhich users are authorized to connect wirelessly to an agency\xe2\x80\x99s networks, detail which\nwireless-enabled devices can connect to the agency\xe2\x80\x99s networks remotely, and describe the types\nof external networks permitted. For example, policies should specify if users connecting\nremotely through public hot spots to an agency\xe2\x80\x99s networks are authorized to use only\nagency-issued mobile devices. In addition, the Department of the Treasury security policy\nrequires bureaus to establish usage restrictions and implementation guidance for wireless\ntechnologies and to document, monitor, and control wireless access to the information system.\nAs previously mentioned, the IRS is evaluating the expansion of two types of wireless\ntechnology for its employees.\nExpansion of the WLAN at IRS Facilities. 
Contrary to its wireless security policy, the IRS did not intend to conduct a security assessment and authorization until after its WLAN demonstrations on the IRS network were complete. The IRS planned to take what it learned from these demonstrations, make final decisions on equipment needs, and then proceed with the formal security assessment and authorization process. The IRS also stated that conducting the demonstration on the production network would give it a better sense of the true implications of the WLAN and would allow a large number of people to participate. However, after we began our review, the Cybersecurity organization completed a risk assessment of the WLAN security controls in February 2011, and the Designated Accrediting Authority signed a memorandum accepting the reported risks and authorizing the demonstrations to operate on the IRS production network. In addition, the Architecture and Implementation division, a part of the Cybersecurity organization, signed a waiver for the WLAN's use of products not yet approved for use in the IRS environment. We reviewed the components of the WLAN being demonstrated at the New Carrollton Federal Building and found that the WLAN generally complied with Federal security requirements for wireless networks.

Expansion of Wireless Remote Access by Employees. The wireless remote configuration in use at the IRS to access the ERAP had not been properly assessed or approved for use in the IRS environment. 
In early 2010, a wireless configuration was developed to provide IRS employees wireless access to the IRS network while at off-site locations such as hotels and airports. According to EUES organization management, approximately 300 users were allowed to participate in a limited demonstration of the technology at an IRS conference in May 2010. Rather than removing the wireless capability from the users until proper security testing and approvals of the configuration were completed, EUES organization officials informed us that the configuration remains in use. They also informed us that controls were not in place to prevent the configuration from being shared with unauthorized users, and that they believed the configuration was in fact being shared with users who were not a part of the May 2010 demonstration. We identified 12 users who were not associated with the May 2010 demonstration but used a wireless remote configuration to access the ERAP during January through March 2011.

13 The National Institute of Standards and Technology, under the Department of Commerce, is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all Federal Government agency operations and assets.

The ACIO, Cybersecurity, disagreed that the software demonstrated in May 2010 required the completion of the Enterprise Life Cycle or a security assessment and authorization at this stage in its development. The ACIO stated that the EUES and Cybersecurity organizations planned to evaluate how wireless remote access worked in the production environment and gather feedback from the users at the demonstration to help shape the ultimate design of the wireless solution for when it is deployed. In addition, the ACIOs of the Cybersecurity and EUES organizations indicated they were not concerned about, and had no need to know, which users and computers have the unapproved configuration installed, because in their view the configuration poses no security risk since the ERAP process controls access to the IRS network.

We did not identify any security vulnerabilities related to this configuration. However, as system administrators install this configuration for themselves or for others, we believe that settings could be changed that leave vulnerabilities exposed. We also believe that the IRS should know which users and computers have installed software that is still in a demonstration phase, in the event that the IRS determines the configuration does not meet current or future IRS standards or requires security patches or updates until an enterprise-wide solution is approved.

The IRS shared with us that this software had subsequently been abandoned for a new wireless remote configuration, which is currently undergoing testing. The IRS does not know on which laptop computers the older configuration resides. As a result, unapproved and untested software is currently in use on an unknown number of IRS computers. If security problems are discovered during testing of the new configuration that also affect the old one, the IRS cannot ensure the removal of the old configuration.

IRS policy helps to ensure proper controls are placed over the development and use of wireless remote configurations. 
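The problem in the paragraphs above is an inventory one: the IRS cannot remove a configuration it cannot find. The following Python script is an added example of the kind of inventory-based scan that Recommendation 1 asks for; it is not IRS code and not a Tivoli or Business DNA feature. It reads an endpoint inventory export and flags wireless adapters and wireless software that are not on an approved baseline, plus any host carrying a demonstration-only package. The CSV layout, the approved-baseline entries, the hostnames and product descriptions, and the `ERAP Wireless Profile Pack` marker are all assumptions; a real export would need its own column mapping and a marker taken from the actual package name or file.

```python
"""Flag unapproved wireless hardware, software and demo configurations in an
endpoint inventory export.

Added example, not IRS code. ASSUMPTION: the export is a CSV with one row per
(host, item) and the columns hostname, item_type, description. Tivoli and
Business DNA exports have their own schemas and would need a column mapping.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample export; hostnames and product descriptions are invented.
SAMPLE_EXPORT = """\
hostname,item_type,description
LAPTOP-0001,hardware,Built-in 802.11n WLAN adapter (standard image)
LAPTOP-0001,software,Vendor WLAN Client 14.1 (standard image)
LAPTOP-0001,software,ERAP Wireless Profile Pack 0.9 (demo)
LAPTOP-0002,hardware,Built-in 802.11n WLAN adapter (standard image)
LAPTOP-0002,hardware,USB 802.11n Wireless-N Adapter
LAPTOP-0002,software,USB Adapter Wireless Monitor 3.2
DESKTOP-0003,hardware,Gigabit Ethernet Connection
DESKTOP-0003,software,Office Suite 2010
LAPTOP-0004,hardware,Built-in 802.11n WLAN adapter (standard image)
LAPTOP-0004,software,Vendor WLAN Client 14.1 (standard image)
"""

# Hypothetical approved baseline: the adapter and client on the standard
# laptop image. Any other wireless item is a finding.
APPROVED_WIRELESS_HARDWARE = {"Built-in 802.11n WLAN adapter (standard image)"}
APPROVED_WIRELESS_SOFTWARE = {"Vendor WLAN Client 14.1 (standard image)"}
# Hypothetical marker for the demonstration-only remote-access package.
DEMO_CONFIG_PATTERN = re.compile(r"ERAP Wireless Profile Pack", re.IGNORECASE)
# Anything that looks like a wireless interface or client; wired NICs do not match.
WIRELESS_PATTERN = re.compile(r"wireless|wi-?fi|802\.11|wlan|wwan", re.IGNORECASE)


def classify(row):
    """Return a finding label for one inventory row, or None if it is clean."""
    desc = row["description"].strip()
    if DEMO_CONFIG_PATTERN.search(desc):
        return "unapproved-demo-config"
    if not WIRELESS_PATTERN.search(desc):
        return None  # wired NIC, office software, etc.
    approved = (APPROVED_WIRELESS_HARDWARE if row["item_type"] == "hardware"
                else APPROVED_WIRELESS_SOFTWARE)
    if desc in approved:
        return None
    return "unapproved-wireless-" + row["item_type"]


def scan_export(text):
    """Group findings by host: {hostname: [(label, description), ...]}.

    Hosts with no findings are omitted, so the result doubles as the
    per-host follow-up list for the incident-handling process.
    """
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        label = classify(row)
        if label:
            findings[row["hostname"]].append((label, row["description"].strip()))
    return dict(findings)


if __name__ == "__main__":
    for host, items in sorted(scan_export(SAMPLE_EXPORT).items()):
        for label, desc in items:
            print(f"{host}\t{label}\t{desc}")
```

Run against a real export, the dictionary it returns is the list of hosts that need the package removed or the adapter withdrawn, and re-running it after remediation is the check that the removal actually happened, which is the step the report found missing.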
Without adherence to this policy, the IRS risks introducing configurations into the production environment that could contain security vulnerabilities.

For both wireless expansion efforts, the ACIO, Cybersecurity, and the Treasury Inspector General for Tax Administration disagreed on how to interpret IRS policy, which states that wireless networks, devices, and remote access configurations must have a completed security assessment and authorization before they are used within the IRS. The ACIO, Cybersecurity, believed IRS use of the WLAN networks and wireless remote configuration software prior to completion of a security assessment and authorization was not contrary to IRS policy because (1) wireless access to the IRS network is no longer prohibited (based on the April 2010 policy update); (2) demonstration-type testing of wireless technologies is intentionally performed before the Enterprise Life Cycle begins, to allow the IRS to determine which wireless components it plans to implement enterprise-wide, and only once that is determined would the Enterprise Life Cycle milestone, testing, and approval processes apply; and (3) he was aware of and had verbally approved the actions taken in both the WLAN and wireless remote configuration instances.

We are concerned that, without requiring proper security assessments and authorizations before allowing use of wireless technology in the IRS environment, security flaws could exist in the untested technology that could leave the IRS open to attacks that exploit wireless networks or transmissions.

Corrective action to ensure timely monitoring of configuration files, taken in response to a prior audit finding at the 
National Distribution Center, was not effective

To minimize network security vulnerabilities and exposures, IRS guidelines, standards, and procedures require IRS staff to periodically assess the compliance of all network components, such as switches and routers. IRS staff should use configuration validation tools to measure compliance against the established security baseline.

The IRS currently has one authorized WLAN, at its National Distribution Center, where wireless devices are used to scan bar codes on IRS publications and transmit inventory data to a tracking system. In March 2007, we reported that the IRS was not adequately monitoring the security configurations on the WLAN. The IRS agreed to monitor the configuration files on the WLAN on a monthly basis to ensure all configurations adhered to IRS standards.

During our current review, we found that the IRS had not been conducting the manual monthly reviews of the configuration files for the two switches on the WLAN, as it had agreed to do in response to our prior finding. Per the IRS, the last validation of the configuration files for these switches occurred in December 2009.

The configurations were not monitored as planned because of a reorganization of the territory and a loss of personnel. Enterprise Network organization managers, a part of the Modernization and Information Technology Services organization, failed to identify and reassign this responsibility after the employee who had been responsible for the monthly manual monitoring was transferred. Enterprise Network organization managers assumed the configuration files for these switches were being captured electronically and reviewed remotely. The Enterprise Network organization staff informed us that the configuration files for these two switches cannot be reviewed remotely because the switches sit behind the devices that encrypt the wireless network and are therefore not reachable by the tools used for remote review. The Enterprise Network organization staff also informed us that they believe manually pulling the configurations for these switches every 3 months, rather than monthly, would be adequate. They believe the less frequent reviews would be adequate because of the wireless detection systems they have installed, the infrequent changes to the switches, and the cost of manpower and travel to the site to conduct the reviews.

Network switches provide services that are essential to the operation of the IRS local area networks and the customers they serve. Poor security can expose the entire IRS network, its components, and its configurations to attackers seeking to undermine network and data integrity. Compromise of a network switch can lead to reduced performance, denial of service, and exposure of sensitive taxpayer data.
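What a monthly or quarterly validation of a switch configuration should actually do is not spelled out above. The following Python script is an added example, not an IRS tool: it normalizes a pulled configuration, checks it against a baseline of required and forbidden statements, fingerprints it so that an undocumented change between pulls is visible before anyone reads the whole file, and diffs two pulls. The baseline rules and both sample configurations are constructed (IOS-style syntax is used only because it is widely recognised); they are not the IRS standard.

```python
"""Validate a switch configuration against a security baseline and detect
drift between two configuration pulls.

Added example, not an IRS tool. The baseline rules and both configurations are
constructed; IOS-style syntax is used only because it is widely recognised,
and the rules illustrate the approach rather than any actual IRS standard.
"""
import hashlib
import re

# Constructed baseline: statements that must be present (anchored regexes)...
REQUIRED = [
    r"^service password-encryption$",
    r"^no ip http server$",
    r"^logging host \S+$",
    r"^ntp server \S+$",
    r"^line vty 0 4$",
    r"^ transport input ssh$",   # under line vty: SSH only, no telnet
]
# ...and statements that must not appear.
FORBIDDEN = [
    r"^enable password ",              # reversible password instead of 'enable secret'
    r"^snmp-server community public",  # default community string
    r"^ip http server$",               # web management interface enabled
]

# Constructed: the configuration as validated in the last manual review.
CONFIG_DEC_2009 = """\
hostname ndc-wlan-sw1
service password-encryption
enable secret 5 $1$abcd$efghijklmnopqrstuvwxyz0
no ip http server
logging host 10.0.0.5
ntp server 10.0.0.6
line vty 0 4
 transport input ssh
"""

# Constructed: a later pull after an undocumented change.
CONFIG_LATER = """\
! Last configuration change at 09:12:44 UTC
hostname ndc-wlan-sw1
service password-encryption
enable secret 5 $1$abcd$efghijklmnopqrstuvwxyz0
ip http server
snmp-server community public RO
logging host 10.0.0.5
ntp server 10.0.0.6
line vty 0 4
 transport input ssh telnet
"""


def normalize(config):
    """Keep only configuration statements: drop blanks, '!' comments and the
    'Building/Current configuration' banners, so hashes and diffs reflect
    real changes rather than timestamps."""
    out = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(("Building configuration", "Current configuration")):
            continue
        out.append(line.rstrip())
    return out


def fingerprint(config):
    """SHA-256 over the normalized statements; record it with each pull so a
    silent change shows up even if nobody reads the full file."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def check_baseline(config):
    """Return {'missing': [required patterns not found],
               'forbidden': [config lines matching a forbidden pattern]}."""
    lines = normalize(config)
    missing = [p for p in REQUIRED if not any(re.match(p, l) for l in lines)]
    forbidden = [l for l in lines if any(re.match(p, l) for p in FORBIDDEN)]
    return {"missing": missing, "forbidden": forbidden}


def drift(old, new):
    """Statements added and removed between two pulls, volatile lines ignored."""
    old_set, new_set = set(normalize(old)), set(normalize(new))
    return {"added": sorted(new_set - old_set), "removed": sorted(old_set - new_set)}


if __name__ == "__main__":
    print("baseline, Dec 2009:", check_baseline(CONFIG_DEC_2009))
    print("baseline, later:   ", check_baseline(CONFIG_LATER))
    print("drift:", drift(CONFIG_DEC_2009, CONFIG_LATER))
    print("changed:", fingerprint(CONFIG_DEC_2009) != fingerprint(CONFIG_LATER))
```

Because these switches cannot be reached remotely, the pull is manual either way; the script turns each pull into a compliance result and a hash that can be compared with the previous visit, and the drift output in the sample shows the kind of change (telnet re-enabled, web interface turned on) that a "looks the same" reading can miss. Whether a 3-month interval is adequate then becomes a question of how long such a change may go unnoticed.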
Inadequate monitoring of the configuration files for the wireless network switches could increase the likelihood of the network being compromised and operations disrupted.

Security policy did not address dual connection

The National Institute of Standards and Technology guidelines recommend that laptops be configured to not allow the simultaneous use of more than one network interface; that is, the wireless capability of the laptop should be turned off or disabled when the laptop is connected to the agency's wired network. If wireless-enabled laptops are not configured to prevent simultaneous (or dual) connections, an attacker within radio range could connect to the laptop's wireless interface while the laptop is connected to the agency's wired network and use the laptop as a bridge into that network, potentially gaining unauthorized access to it.

The Government Accountability Office reported in November 2010 that many agencies had not addressed the risk of dual connection of laptops in their security policies, and none of the five agencies where the Government Accountability Office conducted detailed testing had implemented controls to prevent it.

We reviewed the IRS's wireless security policy and found that it did not address the risk of dual connection on wireless-enabled laptops. 
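The control NIST describes is simple to state but has edge cases an implementation must get right: it has to cover every wireless adapter (a USB adapter added later as well as the built-in one), it must not disable wireless on a laptop that has no cable plugged in, and it must leave a laptop that is already compliant alone. The following Python script is an added example, not IRS or vendor code and not the "exclusive connection" feature the IRS described to us; it reads the CSV that `Get-NetAdapter | Export-Csv` produces on Windows, decides whether the host is dual-connected, and returns the netsh commands a management agent would run. The sample rows are constructed, and treating Bluetooth and wireless WAN media as wireless is an assumption about policy scope.

```python
"""Apply the exclusive-connection rule to a Windows laptop's adapter list.

Added example, not IRS or vendor code. It reads the CSV that
`Get-NetAdapter | Export-Csv` produces (Name, Status and PhysicalMediaType
are real properties of that cmdlet); the sample rows are constructed. The
script only decides; the netsh commands it returns are for a management
agent to run.
"""
import csv
import io

# Constructed export: one wired link up, two wireless adapters up, Bluetooth idle.
SAMPLE_ADAPTERS = """\
Name,InterfaceDescription,Status,PhysicalMediaType
Ethernet,Onboard Gigabit Controller,Up,802.3
Wi-Fi,Built-in 802.11n Adapter,Up,Native 802.11
Wi-Fi 2,USB 802.11n Adapter,Up,Native 802.11
Bluetooth Network Connection,Bluetooth PAN,Disconnected,BlueTooth
"""

# PhysicalMediaType values treated as wireless (compared case-insensitively).
# ASSUMPTION: policy scope includes Bluetooth PAN and wireless WAN, not just 802.11.
WIRELESS_MEDIA = {"native 802.11", "wireless wan", "bluetooth"}


def parse_adapters(text):
    """Rows of the Get-NetAdapter CSV export as dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def is_wireless(adapter):
    return adapter["PhysicalMediaType"].strip().lower() in WIRELESS_MEDIA


def evaluate(adapters):
    """Return (dual_connected, names_of_wireless_adapters_to_disable).

    Wireless adapters are disabled only while a wired link is Up: a laptop with
    no cable keeps its wireless connectivity, a laptop with the cable in but
    wireless already off is left alone, and every wireless adapter that is Up
    (built-in or USB) is covered, not just the first one found.
    """
    wired_up = [a for a in adapters if not is_wireless(a) and a["Status"] == "Up"]
    wireless_up = [a for a in adapters if is_wireless(a) and a["Status"] == "Up"]
    dual = bool(wired_up) and bool(wireless_up)
    return dual, ([a["Name"] for a in wireless_up] if dual else [])


def disable_commands(names):
    """netsh commands that sever the wireless side of a dual connection."""
    return [f'netsh interface set interface name="{n}" admin=disabled' for n in names]


if __name__ == "__main__":
    dual, names = evaluate(parse_adapters(SAMPLE_ADAPTERS))
    print("dual-connected:", dual)
    for cmd in disable_commands(names):
        print(cmd)
```

The decision is deliberately separated from the enforcement: an agent polls the adapter table (or reacts to link-up events), calls `evaluate`, and runs the returned commands; re-enabling wireless when the cable is unplugged is the mirror-image rule and needs the agent to remember which adapters it disabled itself.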
We also noted that the Department of the Treasury security policy did not address dual connection in November 2010; however, it issued a security policy update in March 2011 that does address dual connection.

The IRS informed us that the software installed on users' laptops to enable WLAN connectivity for participating in the demonstrations includes an "exclusive connection" feature, which allows no more than one active connection at a time and therefore addresses the dual connection risk. We tested this control during our visit to New Carrollton and found that it worked effectively to prevent dual connection.

However, until the IRS fully documents policies prohibiting dual connections, an increased risk exists that future wireless technology projects may not implement sufficient controls to address this risk, potentially allowing an attacker to exploit this vulnerability and gain unauthorized access into the IRS network to destroy, modify, or copy sensitive information.

Management Action: The IRS updated the Internal Revenue Manual during our fieldwork to address the condition above. 
The Internal Revenue Manual now requires that WLAN clients be configured so only one active physical network connection is possible, either wired or wireless, at any time, and that WLAN clients be configured to prevent dual connections.

Recommendations

The Chief Technology Officer should:

Recommendation 1: Implement automated nationwide network scans for unauthorized wireless activity, devices, and software using Tivoli or Business DNA, and improve processes to handle incidents of noncompliance with IRS security policy so that, when unauthorized wireless activity is identified, subsequent investigations and disciplinary actions are effective.

       Management's Response: The IRS agreed with this recommendation. The IRS will use a set of automated tools to determine wireless activity, devices, and software as part of full deployment of a wireless strategy. In conjunction with the automated tools, the IRS will incorporate the use of wireless network scanners in areas where it determines there is the potential for the greatest risk.

Recommendation 2: Ensure that a security assessment and authorization is completed for all wireless technologies prior to use in the IRS environment, in compliance with IRS policy.

       Management's Response: The IRS disagreed with this recommendation. IRS policy does not require completion of a security assessment and authorization on technologies, but rather on information systems. IRS policy requires that new technology, such as wireless technology, undergo security assessment and authorization when it is utilized by an IRS information system that is being designed, developed, and expected to be ultimately deployed into full production. In the case of the wireless pilot, a risk assessment was performed and the Authorizing Official authorized the pilot to begin. However, a full security assessment and authorization for the wireless pilot would be premature as the wireless pilot was still in the design phase and being conducted in an area where users had little access to taxpayer data. Performing security assessments and authorizations on pilots, tests, and/or demonstrations would not allow the IRS the ability to make effective risk-based decisions regarding the appropriate, secure, and cost-effective use of what in this case was wireless technology.

       Office of Audit Comment: We agree that IRS policy would not require the completion of a security assessment and authorization if the IRS conducted its wireless pilots and demonstrations on a test network. However, the IRS placed the wireless pilot on the live IRS network. Likewise, the IRS demonstrated the wireless remote access configuration, which still provides an unknown number of users access to the live IRS network, prior to completing any security assessment and authorization activities. At the start of our review, the IRS had informed us that it did not plan to perform any security assessment and authorization activities for its wireless pilots or demonstrations. We agree that the risk assessment that the IRS subsequently conducted prior to deploying the wireless pilot helped to mitigate potential risks. 
       However, prior to piloting, demonstrating, or any use of wireless technology on the live IRS network, we continue to recommend that the IRS remain diligent in completing commensurate security assessment and authorization activities in compliance with IRS policy in order to detect and avoid security risks that could leave the IRS open to attacks.

Recommendation 3: Ensure the Enterprise Networks organization takes appropriate action to reinstate monitoring and tracking of configuration files on the WLAN at the National Distribution Center at appropriate intervals to ensure all files are set in accordance with IRS security policy.

       Management's Response: The IRS agreed with this recommendation. Enterprise Networks has assigned the site to an employee to reinstate routine monitoring and tracking of configuration files on the WLAN at quarterly intervals to ensure all files are set in accordance with IRS security policy.

Appendix I

Detailed Objectives, Scope, and Methodology

Our objectives were to determine whether the IRS has implemented effective controls to detect the unauthorized use of the WLAN technology, and to determine whether the IRS's current approved WLAN at its National Distribution Center and its plans for increasing the authorized use of WLAN technology at IRS facilities are in accordance with Federal wireless security standards. To accomplish these objectives, we:

I.      Evaluated the adequacy of IRS policies related to wireless technology.
II.     Evaluated IRS efforts at identifying unauthorized wireless access points and devices.
        A. Determined whether IRS corrective action from our prior report1 was implemented.
        B. Obtained and reviewed Tivoli2 and Business DNA3 data.
III.    Provided information to the IRS (for further investigation) on any potential unauthorized devices or access points we identified.
IV.     Identified software utilities that may be able to remotely scan for unauthorized wireless activity.
V.      Determined whether the IRS-approved WLAN at the National Distribution Center was configured in accordance with Federal wireless security standards.
        A. Determined whether IRS corrective action from our prior report4 was implemented.
        B. Obtained and reviewed the current WLAN design documentation.
VI.     Determined whether the IRS's plans for increasing the authorized use of WLAN technology at IRS facilities were in accordance with Federal wireless security standards.
        A. Obtained and reviewed the IRS design documents for its WLAN demonstration.
        B. Determined whether the IRS WLAN demonstration design documents met Federal standards for deploying and monitoring a secure WLAN.

1 Use of Unapproved Wireless Technology Puts Sensitive Data at Risk (Reference Number 2003-20-056, dated February 21, 2003).
2 The Tivoli® applications provide the IRS with the ability to systemically deliver the most current versions of software and updated security patches to employees' computers and to scan the network for maintaining computer inventory records.
3 Business DNA is an asset discovery tool that provides detailed hardware and software configuration information for all devices connected to the network. The Department of the Treasury recently selected Business DNA as the enterprise tool for all bureaus to use in information technology asset discovery, inventory, and reporting.
4 Sensitive Data Remain at Risk From the Use of Unauthorized Wireless Technology (Reference Number 2007-20-060, dated March 28, 2007).

Internal controls methodology

Internal controls relate to management's plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: the IRS's policies, procedures, and practices for ensuring wireless technology is compliant with Federal standards. 
We evaluated these controls by interviewing Cybersecurity and EUES organization officials, reviewing network scan data, evaluating design documentation of the existing and planned WLANs, and testing WLAN demonstration components.

Appendix II

Major Contributors to This Report

Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Kent Sagara, Director
Jody Kitazono, Audit Manager
Larry Reimer, Audit Manager, Technical Audit Group
Cari Fogle, Senior Auditor
Bret Hunter, Senior Auditor
Louis Lee, Senior Auditor
Victor Taylor, Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Chief Counsel CC
Director, Wage and Investment Business Systems Planning SE:W:BMO:BSP
Director, Office of Program Evaluation and Risk Analysis RAS:O
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison:
       Director, Risk Management Division OS:CTO:SP:RM
Appendix IV

Management's Response to the Draft Report